disable sa lifetime KB?

Unanswered Question
Apr 30th, 2009
On the ASAs (8.x) when I create a crypto map it automagically adds:

set security-association lifetime kilobytes 4608000



I have been able to change the number of kilobytes but have not been able to remove this setting entirely for tunnels where we do not want to have a lifetime based on kilobytes but rather only on time.


How do I remove this?

John Blakley Thu, 04/30/2009 - 10:38

I don't have the same problem you do.


Try this:


no crypt map set security-association life kil 4608000


crypt map set security-association lifetime seconds


It may not let you do this while the tunnel is established though.


HTH,

John

slug420 Thu, 04/30/2009 - 10:55
I tried that... it didn't go anywhere. That is actually what they list in the documentation as a way to remove this setting... doesn't seem to work though.

John Blakley Thu, 04/30/2009 - 11:01

I was able to reproduce it.


Type:


no ipsec security-association lifetime kilo


It sets a default, and it should remove it from your crypto map.


John


slug420 Thu, 04/30/2009 - 11:06
I'm lost... did it set it to the default (this is what I found) or did it remove it from the crypto map (this did not happen for me)?

John Blakley Thu, 04/30/2009 - 11:08

I removed my crypto map and recreated another one:


I had two lifetime settings in my crypto map after setting it, but I was able to remove the one that wasn't the default.


So if you set your lifetime to seconds, you should be able to remove your KB one with "no crypt map security-association...."


John


slug420 Thu, 04/30/2009 - 11:15
interesting, was this in 8.x? I will have to try that.


Maybe my lifetime in seconds was still at the default setting when i was trying to remove the kb one...

John Blakley Thu, 04/30/2009 - 11:17

When I run the ipsec security.... it automatically adds it to my existing crypto maps. I still couldn't remove it from the crypto map with "no crypto...", but I could remove it with "no ipsec security...."


And I'm running 8.0(3) on mine.


HTH,

John

Richard Burts Thu, 04/30/2009 - 10:42

Chris


I do not believe that there is an option to remove the kilobits lifetime. You can set it to a very high value (2147483647 K on my ASA) to reduce the chance that it will be exceeded. But I do not believe that you can remove it.


It is a basic part of the specification of IPSec. The thought behind it is similar to the thought behind the time based lifetime: the longer the Security Association uses the same keys (or the more data is transmitted using the same keys) the better chance some intruder has of breaking the keys. Why would you want to remove this protection?


HTH


Rick

slug420 Thu, 04/30/2009 - 11:02
I am pretty sure 6.x did not have this enabled by default and as far as I know there were no security compromises as a result. I think setting either the time or the KB is sufficient security.


I just built a tunnel with someone and they had a preference to not use the KB lifetime and only use the time lifetime. I had no problem with this since I think the KB lifetime is not necessary, but I was unable to meet their requested settings and had to make them add a KB lifetime.


Also worth noting: the KB lifetime set by default is greater than the maximum KB lifetime on Check Point firewalls... so if you are building a VPN to a CP you have to change this setting....


Generally speaking I would rather not have something set if I don't know why it is needed and if its value was arbitrarily chosen... just one more thing to cause problems.

John Blakley Thu, 04/30/2009 - 11:03

Oh, and to change your default, you can type:


ipsec security-association lifetime seconds


HTH,

John

John Blakley Thu, 04/30/2009 - 11:15

Try this:


no ipsec security-association lifetime kilobytes


That should remove it from your crypto map and then you can specify in your map what you want.


Let me know, I'm curious =)


John
Richard Burts Thu, 04/30/2009 - 18:14

Chris


You and John are discussing whether you can get the statement to not show up in the config file. Given the Cisco practice that default values generally do not show up in the running config, making it not show in the running config is not necessarily the same as not having it active.


I have never done a show crypto map where there was not a crypto lifetime in kilobytes. I do not believe that Cisco gives you the option to disable lifetime in kilobytes.


HTH


Rick
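Two points from Rick's replies above are easy to check with a little code: a crypto map entry that shows no kilobyte lifetime in the running config still inherits the global `crypto ipsec security-association lifetime` value, and the volume limit exists because key material should not protect unbounded traffic. The following script is an added example, not code from the thread or from Cisco. It parses a constructed ASA-style config fragment (documentation IPs, invented map names), resolves each crypto map entry's effective seconds and kilobytes lifetime using the 8.x defaults of 28800 seconds and 4608000 KB, and works out which of the two limits actually forces a rekey first at a given steady throughput. The assumption that one ASA "kilobyte" is 1024 bytes is the script's, not the page's.

```python
"""Effective IPsec SA lifetimes on an ASA crypto map and which limit rekeys first."""
import re
from dataclasses import dataclass

# ASA 8.x factory defaults for the global IPsec SA lifetime: 28,800 s and 4,608,000 KB.
DEFAULT_SECONDS = 28800
DEFAULT_KILOBYTES = 4608000

# Assumption for the volume maths below: one ASA "kilobyte" is 1024 bytes.
BYTES_PER_KILOBYTE = 1024
BYTES_PER_SECOND_PER_MBPS = 125_000  # 1 Mbit/s = 125,000 bytes/s

GLOBAL_RE = re.compile(
    r"^crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)$")
ENTRY_RE = re.compile(
    r"^crypto map (\S+) (\d+) set security-association lifetime (seconds|kilobytes) (\d+)$")
ENTRY_ANY_RE = re.compile(r"^crypto map (\S+) (\d+) ")

# Constructed sample config (hypothetical map names, RFC 5737 documentation addresses).
# Entry 30 deliberately carries no lifetime lines at all.
SAMPLE_CONFIG = """\
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map 10 set security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 198.51.100.20
crypto map outside_map 20 set security-association lifetime seconds 86400
crypto map outside_map 20 set security-association lifetime kilobytes 2147483647
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer 192.0.2.30
"""


@dataclass
class SaLifetime:
    seconds: int
    kilobytes: int
    seconds_explicit: bool    # set on the crypto map entry itself
    kilobytes_explicit: bool  # False means the global default applies silently


def parse_lifetimes(config: str) -> dict:
    """Map (crypto-map name, sequence) to its effective SA lifetime.

    An entry with no 'set security-association lifetime ...' line still rekeys
    at the global value, so a limit absent from 'show run' is not disabled.
    """
    global_life = {"seconds": DEFAULT_SECONDS, "kilobytes": DEFAULT_KILOBYTES}
    explicit = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = GLOBAL_RE.match(line)
        if m:
            global_life[m.group(1)] = int(m.group(2))
            continue
        m = ENTRY_ANY_RE.match(line)
        if m:
            explicit.setdefault((m.group(1), int(m.group(2))),
                                {"seconds": None, "kilobytes": None})
        m = ENTRY_RE.match(line)
        if m:
            explicit[(m.group(1), int(m.group(2)))][m.group(3)] = int(m.group(4))
    result = {}
    for key, values in explicit.items():
        secs, kbs = values["seconds"], values["kilobytes"]
        result[key] = SaLifetime(
            seconds=secs if secs is not None else global_life["seconds"],
            kilobytes=kbs if kbs is not None else global_life["kilobytes"],
            seconds_explicit=secs is not None,
            kilobytes_explicit=kbs is not None,
        )
    return result


def first_rekey_trigger(life: SaLifetime, throughput_mbps: float) -> tuple:
    """Return (limit_name, seconds_until_rekey) at a steady throughput.

    The volume limit fires once that many kilobytes have crossed the SA, so at
    high throughput it usually beats the time limit by a wide margin.
    """
    if throughput_mbps <= 0:
        return ("seconds", float(life.seconds))
    bytes_per_second = throughput_mbps * BYTES_PER_SECOND_PER_MBPS
    volume_seconds = life.kilobytes * BYTES_PER_KILOBYTE / bytes_per_second
    if volume_seconds < life.seconds:
        return ("kilobytes", volume_seconds)
    return ("seconds", float(life.seconds))


if __name__ == "__main__":
    for (name, seq), life in sorted(parse_lifetimes(SAMPLE_CONFIG).items()):
        for mbps in (1.0, 100.0):
            limit, secs = first_rekey_trigger(life, mbps)
            print(f"{name} {seq}: {life.seconds}s / {life.kilobytes}KB "
                  f"(KB explicit={life.kilobytes_explicit}) at {mbps:g} Mbit/s -> "
                  f"{limit} limit rekeys after {secs:.0f}s")
```

Running it shows the practical side of the argument: at 1 Mbit/s the default 4608000 KB is never reached before the time limit, but at 100 Mbit/s entry 10 rekeys on volume after roughly six minutes, long before its 3600 seconds expire, and entry 30, which has no lifetime lines in the config at all, still carries the global 28800 s / 4608000 KB pair. Raising the kilobyte value toward the 2147483647 maximum Rick mentions (entry 20) pushes the volume trigger out, but does not remove it.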
